Deploy Secure Tunnel

This topic describes how to set up and configure Secure Tunnel in order to securely connect to your SIEM servers and your remote access PSM servers.

For details, see Connect to SIEM and Configure the PSMs through the Secure Tunnel wizard.

Before you begin

    1. Set the installeruser password.

    2. Disable the antivirus agent if it is installed on your server.

    3. Consider the following:



      Connector client machine name must be unique

      The name of the Connector client machine must be unique across domains. Only the machine host name is used to generate the tunnel ID and therefore it must be unique, even if the machines are deployed in multiple domains.

      Secure Tunnel port

      Check that this port is free for use. If not, see Secure Tunnel troubleshooting for steps on how to configure a different port.

      Remote access for employees

      If you are configuring remote access for your employees, you must also configure the designated PSMs. For details, see Configure remote access for employees.

      Configure Secure Tunnel to connect through a proxy server

      • This option is supported in Secure Tunnel v3.1 and up.

      • Connecting to Privilege Cloud through a proxy is supported by Secure Tunnel only when SIEM/Remote Access are in a network where the internet connection is behind a proxy.

      • Connecting through a proxy applies to Secure Tunnel only, and does not affect CPM or PSM components.
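
The two checks under "Consider the following" can be scripted before you run the installer. The PowerShell below is an added example, not CyberArk code: the FQDNs and the port number are constructed placeholders, the function names are hypothetical, and the case-insensitive comparison and the choice of TCP are assumptions.

```powershell
# Added example. FQDNs and the port number are constructed placeholders.
$connectors = @(
    'CONN01.emea.corp.example'
    'conn01.apac.corp.example'   # same host name as above, different domain
    'conn02.emea.corp.example'
)
$secureTunnelPort = 12345        # placeholder: use the port for your deployment

function Get-TunnelHostNameCollision {
    param([Parameter(Mandatory)][string[]]$Fqdn)
    # Only the host name (first DNS label) goes into the tunnel ID, so two
    # machines in different domains still collide. Comparing the label
    # case-insensitively is an assumption of this example.
    $Fqdn |
        Group-Object { ($_ -split '\.')[0].ToLowerInvariant() } |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{ HostName = $_.Name; Machines = $_.Group -join ', ' }
        }
}

function Get-PortListener {
    param([Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Port)
    # Returns one row per process already listening on the TCP port;
    # no output means the port is free on this machine.
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                Port         = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = $proc.ProcessName
            }
        }
}

Get-TunnelHostNameCollision -Fqdn $connectors | Format-Table -AutoSize
Get-PortListener -Port $secureTunnelPort | Format-Table -AutoSize
```

Run the port check on the Connector machine itself, because it inspects local listeners only.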

Install and configure Secure Tunnel

Install and configure the Secure Tunnel on the Connector machine.

To install and configure the Secure Tunnel:


The Secure Tunnel includes an installation tool and a configuration tool. When you install the Secure Tunnel for the first time, the configuration tool is launched automatically after the installation is complete. To make changes to a previously installed Secure Tunnel, run the configuration tool.

  1. From the Privilege Cloud software package that you downloaded in Deploy the Privilege Cloud Connector, copy the Secure Tunnel zip file and unzip the package.
  2. On the Select Installation Folder page, enter the location of the installation folder, and click Next.
  3. On the Ready to Install page, click Install.

    When the installation is complete, click Finish, and the configuration tool is launched.

    If you do not want to configure the Secure Tunnel at this time, you can close the wizard and launch the configuration tool later. When you close the installation wizard, a shortcut to the configuration tool is created on the desktop. You can open the configuration tool either from the desktop shortcut or from the installation folder at any time.

  4. On the Authenticate to Privilege Cloud page, enter the following details and click Next.

    Subdomain or Customer ID
    • The subdomain is your system identifier in the system address, as displayed in the Privilege Cloud Portal FQDN: https://<subdomain>

      Enter only the <subdomain> identifier, not the whole URL.

    • Alternatively, use the Customer ID provided to you in the Welcome to CyberArk Identity Security Platform Shared Services email.

    User name & Password

    Enter the installeruser name (installeruser@<suffix>) and password that you set before you started the installation process (see Before you begin).

  5. Optionally, configure Secure Tunnel to connect through a proxy server. If you do not want Secure Tunnel to connect through a proxy, skip this step.

  6. On the Configure on-premise components page, add the components that you want to connect through the Secure Tunnel, and click Configure Components.

    Enter the following information:



    Component Type

    Select one of the following components:

    • SIEM: Up to five Syslog servers can be connected to Privilege Cloud at one time.

    • PSM-RDP: No limit to how many servers can be connected to Privilege Cloud at one time.

    Host Address

    The hostname or IP address of the component server.

    PSM for remote access uses TLS communication and must include a hostname.

    The following domains cannot be used as host names for Secure Tunnel configuration:






    Destination Port

    The port used for connecting the Secure Tunnel server to the component server.

    Click Advanced to display this column.

    Typically, the ports used for these components are:

    • SIEM - 1468

    If you are using different ports, edit this field for the relevant component.

    Remote Port

    The port used by CyberArk to interface with your Secure Tunnel.

    Click Advanced to display this column. The Remote Port is provided to you by CyberArk support.

    Each interface has a default port. For multiple instances the ports are numbered sequentially.

    Typically, the ports used for these components are:

    • SIEM - 1468 (first SIEM instance), 1469, etc.

    Access through Secure Tunnels

    You can configure which Secure Tunnels your servers will access through, even if these Secure Tunnels are running on a different machine.

  7. Optionally, only if you are configuring the Secure Tunnel to connect through a proxy server, restart Secure Tunnel:

    In Windows Task Manager > Services, restart CyberArkPrivilegeCloudSecureTunnel.
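
The limits described in step 6 can be checked against a planned component list before you type it into the wizard. This PowerShell is an added example, not part of the CyberArk tooling: `Test-SecureTunnelPlan` is a hypothetical name, every host name and port in `$plan` is a constructed sample value, and the rule that remote ports must not repeat is inferred from the sequential numbering described above.

```powershell
# Added example. Every host name and port in $plan is a constructed sample value.
$plan = @(
    [pscustomobject]@{ Type = 'SIEM';    HostAddress = '10.0.5.20';            DestinationPort = 1468; RemotePort = 1468 }
    [pscustomobject]@{ Type = 'SIEM';    HostAddress = 'syslog2.corp.example'; DestinationPort = 1468; RemotePort = 1468 }
    [pscustomobject]@{ Type = 'PSM-RDP'; HostAddress = 'psm01.corp.example';   DestinationPort = 3389; RemotePort = 20001 }
    [pscustomobject]@{ Type = 'PSM-RDP'; HostAddress = '10.0.7.31';            DestinationPort = 3389; RemotePort = 20002 }
)

function Test-SecureTunnelPlan {
    param([Parameter(Mandatory)][object[]]$Plan)
    $issues = [System.Collections.Generic.List[string]]::new()

    # SIEM: up to five Syslog servers at one time. PSM-RDP has no limit.
    $siemCount = @($Plan | Where-Object Type -eq 'SIEM').Count
    if ($siemCount -gt 5) { $issues.Add("SIEM: $siemCount servers planned, the limit is 5") }

    foreach ($c in $Plan) {
        $label = "$($c.Type) $($c.HostAddress)"
        if ($c.Type -notin 'SIEM', 'PSM-RDP') { $issues.Add("${label}: unknown component type") }

        # PSM for remote access uses TLS and must be given as a hostname.
        $parsed = $null
        if ($c.Type -eq 'PSM-RDP' -and
            [System.Net.IPAddress]::TryParse([string]$c.HostAddress, [ref]$parsed)) {
            $issues.Add("${label}: PSM-RDP needs a hostname, not an IP address")
        }
        foreach ($field in 'DestinationPort', 'RemotePort') {
            if ($c.$field -lt 1 -or $c.$field -gt 65535) {
                $issues.Add("${label}: $field $($c.$field) is out of range")
            }
        }
    }

    # Multiple instances get sequential remote ports, so a repeated one is
    # treated as a typo (inferred from that numbering, not stated on the page).
    $Plan | Group-Object RemotePort | Where-Object Count -gt 1 |
        ForEach-Object { $issues.Add("Remote port $($_.Name) is used by $($_.Count) components") }
    $issues
}

$found = @(Test-SecureTunnelPlan -Plan $plan)
if ($found.Count) { $found } else { 'No issues found in the planned component list.' }
```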

Post installation steps

After installing Secure Tunnel:

  1. Enable antivirus on the Secure Tunnel server.

    If antivirus is not installed on the server, install it now.

  2. Optionally, control access by defining secure zones.

    If using secure zones for controlled access, define the Secure Tunnel's internet-facing IP address as a secure zone, to ensure it can communicate with the CyberArk backend.

    If access is through a proxy, define the proxy address as a secure zone.

    Learn about access control by applying secure zones.

  3. You can now connect any of the following to Secure Tunnel:

Supported connections - scope

The following table includes the number of component connections, per component type, that the Secure Tunnel supports.


Max supported



